SECURITY LIFECYCLE REVIEW Acme Corporation

PREPARED BY: Acme Acme, www.acmecorporation.com

The Security Lifecycle Review summarizes the threat exposure and security risks facing Acme Corporation and the customers connecting to its networks. The data used for this analysis was gathered by Palo Alto Networks during the report time period. The report provides actionable intelligence and risk assessment around the applications, URL traffic, and types of content traversing the Acme Corporation network, as well as the volume and types of threats and vulnerabilities observed. Recommendations are provided that can be employed to reduce the overall risk exposure for both the network operator and its customers.

INDUSTRY AVERAGE: High Technology
PERIOD: 9 days (Tue, Apr 02, 2019 - Wed, Apr 10, 2019)

Confidential Information - Do Not Redistribute

TABLE OF CONTENTS

Executive Summary
Applications
  Applications at a Glance
  Applications that Introduce Risk
  Applications that Introduce Risk — Detail
  SaaS Applications
URL Activity
File Transfer
  File Transfer Analysis
Threats
  Threats at a Glance
  High-Risk and Malicious File Type Analysis
  Application Vulnerabilities
  Known and Unknown Malware
  Command and Control Analysis
Summary

ACME CORPORATION | SECURITY LIFECYCLE REVIEW INDUSTRY AVERAGE PERIOD: 9 DAYS 2 Confidential Information - Do Not Redistribute


EXECUTIVE SUMMARY FOR Acme Corporation

The Security Lifecycle Review summarizes the business and security risks facing Acme Corporation. The data used for this analysis was gathered by Palo Alto Networks during the report time period. The report provides actionable intelligence around the applications, URL traffic, types of content, and threats traversing the network, including recommendations that can be employed to reduce the organization’s overall risk exposure.

KEY FINDINGS

631 APPLICATIONS IN USE
631 total applications are in use, presenting potential business and security challenges. As critical functions move outside of an organization's control, employees use non-work-related applications, or cyberattackers use them to deliver threats and steal data.

137 HIGH-RISK APPLICATIONS
137 high-risk applications were observed, including those that can introduce or hide malicious activity, transfer files outside the network, or establish unauthorized communication.

165 SAAS APPLICATIONS
165 SaaS applications were observed in your network. To maintain administrative control, adopt SaaS applications that will be managed by your IT team.

8,155,948 VULNERABILITY EXPLOITS
8,155,948 total vulnerability exploits were observed in your organization, including brute-force, info-leak and code-execution.

11,846,851 TOTAL THREATS
11,846,851 total threats were found on your network, including vulnerability exploits, malware, and outbound command and control activity.

31,479 MALWARE DETECTED
488 known malware and 30,991 unknown malware events were observed in your organization.


Applications at a Glance

Applications can introduce risk, such as delivering threats, potentially allowing data to leave the network, enabling unauthorized access, lowering productivity, or consuming corporate bandwidth. This section will provide visibility into the applications in use, allowing you to make an informed decision on potential risk versus business benefit.

KY FINDING

High-risk applications such as file-sharing, photo-video and email were observed on the network, which should be investigated due to their potential for abuse. 631 total applications were seen on the network across 28 sub-categories, as opposed to an industry average of 207 total applications seen in other High Technology organizations. 16.2 TB was used by all applications, including networking with 6.97 TB, compared to an industry average of 6.87 TB in similar organizations.

HIGH-RISK APPLICATIONS

The first step to managing security and business risk is identifying which applications can be abused to cause the most harm. We recommend closely evaluating applications in these categories to ensure they are not introducing unnecessary compliance, operational, or cyber security risk.

Number of high-risk applications by subcategory (Acme Corporation / Industry Average):
  file-sharing         27 / 6
  photo-video          23 / 6
  email                17 / 4
  social-networking    13 / 3
  internet-utility     10 / 4

NUMBER OF APPLICATIONS ON NETWORK          BANDWIDTH CONSUMED BY APPLICATIONS
  Acme Corporation       631                 Acme Corporation       16.20 TB
  Industry Average       207                 Industry Average        6.87 TB
  All Organizations      226                 All Organizations       4.86 TB

CATEGORIES WITH THE MOST APPLICATIONS
The following categories have the most application variants and should be reviewed for business relevance (Acme Corporation / Industry Average):
  business-systems     178 / 65
  collaboration        154 / 44
  media                109 / 47
  general-internet     102 / 35
  networking            88 / 33

CATEGORIES CONSUMING THE MOST BANDWIDTH
Bandwidth consumed by application category shows where application usage is heaviest, and where you could reduce operational resources (Acme Corporation / Industry Average):
  networking           6.97 TB / 2.45 TB
  media                3.27 TB / 155.07 GB
  general-internet     2.86 TB / 966.84 GB
  collaboration        1.78 TB / 178.20 GB
  business-systems     1.32 TB / 3.11 TB


Applications that Introduce Risk

The top applications (sorted by bandwidth consumed) for application subcategories that introduce risk are displayed below, including industry benchmarks on the number of variants across other High Technology organizations. This data can be used to more effectively prioritize your application enablement efforts. Risk level is shown on a scale of 1 to 5, with 5 being high.

KEY FINDINGS

A total of 631 applications were seen in your organization, compared to an industry average of 207 in other High Technology organizations. The most common types of application subcategories are photo-video, management and file-sharing. The application subcategories consuming the most bandwidth are encrypted-tunnel, photo-video and internet-utility.

EMAIL: 26 applications in the subcategory (Industry Average 8), 363.85 GB
TOP EMAIL APPS
  smtp                   134.29 GB
  ms-exchange            101.14 GB
  gmail-base              92.62 GB
  outlook-web-online      18.10 GB
  comcast-webmail          7.88 GB
  yahoo-mail               3.23 GB
  lotus-notes-base         2.80 GB
  icloud-mail              2.60 GB

REMOTE-ACCESS: 27 applications in the subcategory (Industry Average 6), 73.32 GB
TOP REMOTE-ACCESS APPS
  ms-rdp                  24.73 GB
  dameware-mini-remote    23.87 GB
  teamviewer-base          8.35 GB
  citrix                   5.68 GB
  x11                      3.90 GB
  pcoip                    2.48 GB
  logmeinrescue          761.66 MB
  vnc-base               748.36 MB


FILE-SHARING: 52 applications in the subcategory (Industry Average 13), 95.39 GB
TOP FILE-SHARING APPS
  skydrive-base               31.69 GB
  mega                        15.47 GB
  ms-onedrive-base             9.98 GB
  hightail-base                7.26 GB
  boxnet-base                  6.65 GB
  dropbox                      6.25 GB
  sourceforge-file-transfer    5.26 GB
  mediafire                    5.01 GB

ENCRYPTED-TUNNEL: 15 applications in the subcategory (Industry Average 5), 4.36 TB
TOP ENCRYPTED-TUNNEL APPS
  ssl                          3.79 TB
  ssh                        340.80 GB
  dtls                       201.97 GB
  mobility-xe                 12.95 GB
  ciscovpn                     7.04 GB
  ipsec-esp-udp                6.06 GB
  open-vpn                   494.07 MB
  ipsec-esp                  431.17 MB

INSTANT-MESSAGING: 26 applications in the subcategory (Industry Average 8), 16.76 GB
TOP INSTANT-MESSAGING APPS
  facebook-chat           10.78 GB
  ms-lync-base             2.55 GB
  ms-lync-online           1.87 GB
  msn-base               605.22 MB
  whatsapp-base          293.57 MB
  wechat-base            239.77 MB
  jabber                 123.04 MB
  hipchat                 75.57 MB

SOCIAL-NETWORKING: 45 applications in the subcategory (Industry Average 12), 1.28 TB
TOP SOCIAL-NETWORKING APPS
  facebook-base            1.15 TB
  twitter-base            69.78 GB
  tumblr-base             23.84 GB
  google-plus-base        23.47 GB
  linkedin-base           12.11 GB
  pinterest-base           6.04 GB
  yammer                 848.37 MB
  reddit-base            286.30 MB


PHOTO-VIDEO: 72 applications in the subcategory (Industry Average 19), 2.82 TB
TOP PHOTO-VIDEO APPS
  youtube-base           909.16 GB
  facebook-video         621.13 GB
  http-video             464.57 GB
  instagram-base         264.37 GB
  rtp-base               147.38 GB
  netflix-streaming      115.92 GB
  streampix               39.57 GB
  rtmpt                   39.39 GB

PROXY: 1 application in the subcategory (Industry Average 1), 773.98 GB
TOP PROXY APPS
  http-proxy             773.98 GB


Applications that Introduce Risk — Detail

RISK  APPLICATION  CATEGORY  SUBCATEGORY  TECHNOLOGY  BYTES  SESSIONS

5 smtp collaboration email client-server 134.29 GB 339933

4 ms-exchange collaboration email client-server 101.14 GB 149758

4 gmail-base collaboration email browser-based 92.62 GB 911938

3 outlook-web-online collaboration email browser-based 18.1 GB 320821

3 comcast-webmail collaboration email browser-based 7.88 GB 42201

3 yahoo-mail collaboration email browser-based 3.23 GB 28141

5 lotus-notes-base collaboration email client-server 2.8 GB 1893

2 icloud-mail collaboration email client-server 2.6 GB 16057

4 ssl networking encrypted-tunnel browser-based 3.79 TB 62590177

4 ssh networking encrypted-tunnel client-server 340.8 GB 243724

1 dtls networking encrypted-tunnel client-server 201.97 GB 1560

2 mobility-xe networking encrypted-tunnel client-server 12.95 GB 4491

3 ciscovpn networking encrypted-tunnel client-server 7.04 GB 92

2 ipsec-esp-udp networking encrypted-tunnel client-server 6.06 GB 6909

3 open-vpn networking encrypted-tunnel client-server 494.07 MB 9

2 ipsec-esp networking encrypted-tunnel client-server 431.17 MB 2

4 skydrive-base general-internet file-sharing browser-based 31.69 GB 18079

3 mega general-internet file-sharing browser-based 15.47 GB 557

4 ms-onedrive-base general-internet file-sharing client-server 9.98 GB 10929

3 hightail-base general-internet file-sharing browser-based 7.26 GB 863

3 boxnet-base general-internet file-sharing browser-based 6.65 GB 69194

4 dropbox general-internet file-sharing client-server 6.25 GB 65913

2 sourceforge-file-transfer general-internet file-sharing client-server 5.26 GB 41

4 mediafire general-internet file-sharing browser-based 5.01 GB 265

3 facebook-chat collaboration instant-messaging browser-based 10.78 GB 103474


2 ms-lync-base collaboration instant-messaging client-server 2.55 GB 4691

3 ms-lync-online collaboration instant-messaging client-server 1.87 GB 66905

4 msn-base collaboration instant-messaging client-server 605.22 MB 4492

1 whatsapp-base collaboration instant-messaging client-server 293.57 MB 379

2 wechat-base collaboration instant-messaging client-server 239.77 MB 18284

5 jabber collaboration instant-messaging client-server 123.04 MB 184

2 hipchat collaboration instant-messaging client-server 75.57 MB 704

4 youtube-base media photo-video browser-based 909.16 GB 229447

4 facebook-video media photo-video browser-based 621.13 GB 255223

4 http-video media photo-video browser-based 464.57 GB 207320

2 instagram-base media photo-video client-server 264.37 GB 436916

3 rtp-base media photo-video client-server 147.38 GB 3278

3 netflix-streaming media photo-video browser-based 115.92 GB 3831

1 streampix media photo-video client-server 39.57 GB 772

4 rtmpt media photo-video browser-based 39.39 GB 724566

5 http-proxy networking proxy browser-based 773.98 GB 17171356

4 ms-rdp networking remote-access client-server 24.73 GB 4413

3 dameware-mini-remote networking remote-access client-server 23.87 GB 62

3 teamviewer-base networking remote-access client-server 8.35 GB 7644

3 citrix networking remote-access client-server 5.68 GB 18827

5 x11 networking remote-access client-server 3.9 GB 2412

1 pcoip networking remote-access client-server 2.48 GB 57

2 logmeinrescue networking remote-access client-server 761.66 MB 1953

5 vnc-base networking remote-access client-server 748.36 MB 62

4 facebook-base collaboration social-networking browser-based 1.15 TB 11094347


2 twitter-base collaboration social-networking browser-based 69.78 GB 880559

2 tumblr-base collaboration social-networking browser-based 23.84 GB 45883

2 google-plus-base collaboration social-networking browser-based 23.47 GB 381196

3 linkedin-base collaboration social-networking browser-based 12.11 GB 280885

2 pinterest-base collaboration social-networking browser-based 6.04 GB 89172

3 yammer collaboration social-networking client-server 848.37 MB 35063

1 reddit-base collaboration social-networking browser-based 286.3 MB 7901


SaaS Applications

SaaS-based application services continue to redefine the network perimeter. Often labeled "shadow IT," most of these services are adopted directly by individual users, business teams, or even entire departments. To minimize data security risks, you need control over the SaaS applications used on your network.

KY FINDING

The file-sharing subcategory has the largest number of unique SaaS applications. In terms of data movement, salesforce-base is the most used SaaS application in your organization.

SAAS APPLICATIONS BY NUMBERS
Review the applications being used in your organization. To maintain administrative control, adopt SaaS applications that will be managed by your IT team.

NUMBER OF SAAS APPLICATIONS (165 SaaS apps out of 631 total apps)
  Acme Corporation      165
  Industry Average       53
  All Organizations      59

PERCENTAGE OF ALL APPLICATIONS
  Acme Corporation    26.15%
  Industry Average     25.6%
  All Organizations   26.11%

SAAS APPLICATION BANDWIDTH
Monitor the volume of data movement to and from SaaS applications. Understand the nature of the applications and how they are being used.

SAAS APPLICATION BANDWIDTH (567.87 GB for SaaS apps out of 16.20 TB total data flow)
  Acme Corporation    567.87 GB
  Industry Average    335.73 GB
  All Organizations   258.06 GB

PERCENTAGE OF ALL BANDWIDTH
  Acme Corporation     3.5%
  Industry Average     4.89%
  All Organizations    5.31%


TOP SAAS APPLICATION SUBCATEGORIES

The following displays the number of applications in each application subcategory. This allows you to assess the most used application subcategories in your organization.

TOP SAAS APPLICATION SUBCATEGORIES BY TOTAL NUMBER OF APPLICATIONS

file-sharing 30

general-business 17

email 15

internet-conferencing 14

FILE-SHARING: 30 SaaS applications in the subcategory (Industry Average 13), 83.35 GB
TOP FILE-SHARING APPS
  skydrive-base          31.69 GB
  mega                   15.47 GB
  ms-onedrive-base        9.98 GB
  hightail-base           7.26 GB
  boxnet-base             6.65 GB
  dropbox                 6.25 GB
  google-drive-web        3.23 GB
  wetransfer              1.06 GB

GENERAL-BUSINESS: 17 SaaS applications in the subcategory (Industry Average 12), 77.61 GB
TOP GENERAL-BUSINESS APPS
  successfactors         34.76 GB
  windows-azure-base     23.71 GB
  concur                 15.32 GB
  informatica-cloud       3.44 GB
  liveperson             97.51 MB
  zendesk                82.75 MB
  eventbrite             77.88 MB
  constant-contact       64.06 MB


EMAIL: 15 SaaS applications in the subcategory (Industry Average 8), 124.73 GB
TOP EMAIL APPS
  gmail-base             92.62 GB
  outlook-web-online     18.10 GB
  comcast-webmail         7.88 GB
  yahoo-mail              3.23 GB
  icloud-mail             2.60 GB
  aim-mail              291.19 MB
  1und1-mail             13.39 MB
  gmx-mail                2.95 MB

INTERNET-CONFERENCING: 14 SaaS applications in the subcategory (Industry Average 4), 88.74 GB
TOP INTERNET-CONFERENCING APPS
  webex-base             81.12 GB
  join-me-base            5.46 GB
  bluejeans             760.60 MB
  adobe-meeting         521.69 MB
  zoom                  475.97 MB
  att-connect           121.96 MB
  lotuslive-meeting      94.77 MB
  hp-virtual-rooms       52.01 MB


TOP SAAS APPLICATIONS

The following displays the top 10 SaaS applications used in your organization and the application usage comparison against your industry peers and all other Palo Alto Networks customers.

TOP AA APPLICATION Y DATA MOVMNT

106.64 GB Salesforce-Base 3.20 GB

92.62 GB Gmail-Base 3.86 GB

81.12 GB Webex-Base 901.82 MB

34.76 GB Successfactors 2.10 GB

31.69 GB Skydrive-Base 541.37 KB

29.56 GB Google-Docs-Base 2.22 GB

23.71 GB Windows-Azure-Base 5.51 GB

18.10 GB Outlook-Web-Online 48.53 GB

16.62 GB Icloud-Base 4.85 GB

15.47 GB Mega 651.06 Bytes

Acme Corporation Industry Average


SAAS APPLICATIONS BY HOSTING RISK

Based on your SaaS usage, it is imperative to regularly review SaaS applications being accessed, who is accessing them, and how they are being used. The following chart displays the number of applications by each hosting risk characteristic.

Poor Terms of Service 56

Data Breaches 17

No Certifications 82

Poor Financial Viability 13

The following lists show the top applications by bandwidth for each hosting risk characteristic.

APPS WITH POOR TERMS OF SERVICE (109.54 GB)
  successfactors            34.76 GB
  skydrive-base             31.69 GB
  mega                      15.47 GB
  teamviewer-base            8.35 GB
  sap-jam-base               6.37 GB
  join-me-base               5.46 GB
  new-relic                  2.94 GB
  logmeinrescue            761.66 MB

APPS WITH DATA BREACHES (28.24 GB)
  mega                      15.47 GB
  sap-jam-base               6.37 GB
  yahoo-mail                 3.23 GB
  evernote-base              1.13 GB
  mailchimp                558.07 MB
  gotomypc-desktop-sharing 552.63 MB
  gotomypc-base            519.03 MB
  yahoo-calendar           132.56 MB

APPS WITH NO CERTIFICATIONS (111.97 GB)
  skydrive-base             31.69 GB
  icloud-base               16.62 GB
  mega                      15.47 GB
  concur                    15.32 GB
  comcast-webmail            7.88 GB
  hightail-base              7.26 GB
  yahoo-mail                 3.23 GB
  icloud-mail                2.60 GB

APPS WITH POOR FINANCIAL VIABILITY (1.07 GB)
  spideroak                606.28 MB
  4shared                  281.45 MB
  transferbigfiles          92.57 MB
  filesanywhere             57.01 MB
  docstoc-base              21.88 MB
  zamzar                     7.01 MB
  teamup-calendar-base       1.56 MB
  ibackup                    1.16 MB


URL Activity

Uncontrolled Web surfing exposes organizations to security and business risks, including exposure to potential threat propagation, data loss, or compliance violations. The most common URL categories visited by users on the network are shown below.

KY FINDING

High-traffic URL categories were observed on the network, including business-and-economy, computer-and-internet-info and search-engines. Users visited a total of 181,668,949 URLs during the report time period across 61 categories. There was a variety of personal and work-related Web activity present, including visits to potentially risky websites.

HIGH-RISK URL CATEGORIES
The Web is a primary infection vector for attackers, with high-risk URL categories posing an outsized risk to the organization. Solutions should allow for fast blocking of undesired or malicious sites, as well as support quick categorization and investigation of unknowns.

Visits by high-risk URL category (Acme Corporation / Industry Average):
  unknown                            508,658 / 681,194
  private-ip-addresses                85,279 / 783,824
  proxy-avoidance-and-anonymizers      3,682 /   4,352
  dynamic-dns                          2,555 /     318
  malware                                777 /   3,747

HIGH-TRAFFIC URL CATEGORIES
The top 5 most visited URL categories, with industry benchmarks across your peer group (Acme Corporation / Industry Average):
  business-and-economy          89,472,704 / 1,088,334
  computer-and-internet-info    21,034,744 / 2,867,920
  search-engines                13,317,192 /   367,014
  social-networking             10,812,855 /    81,316
  content-delivery-networks      9,060,993 /   114,865

COMMONLY USED URL CATEGORIES
The top 20 most commonly visited URL categories are shown below:
  web-based-email                         6,636,887
  internet-communications-and-telephony   4,519,813
  news                                    4,099,239
  streaming-media                         3,799,094
  web-advertisements                      3,470,481
  shopping                                2,895,553
  internet-portals                        2,839,609
  reference-and-research                  1,693,873
  online-storage-and-backup               1,535,332
  financial-services                      1,529,607
  music                                     621,090
  sports                                    590,996
  unknown                                   508,658
  travel                                    505,162
  stock-advice-and-tools                    500,306
  government                                333,938
  entertainment-and-arts                    257,676
  health-and-medicine                       248,366
  personal-sites-and-blogs                  238,026
  web-hosting                               160,762


File Transfer Analysis

Applications that can transfer files serve an important business function, but they also potentially allow for sensitive data to leave the network or cyber threats to be delivered. Within your organization, 57 file types were delivered via a total of 119 applications. The image below correlates the applications most commonly used to transfer files, along with the most prevalent file and content types observed.

APPLICATIONS TRANSFERRING FILES (files observed)
  web-browsing      642,198
  flash             430,757
  smtp              393,834
  google-earth      259,799
  ms-ds-smb          53,141

FILE TYPES TRANSFERRED (files observed)
  ZIP               826,043
  SHOCKWAVE         430,104
  EMAIL LINK        343,213
  JAR                84,560
  PE                 47,047
  PDF                16,290
  MP3                14,222
  DLL                 6,094
  JPEG                5,142
  PNG                 3,540
  EXCEL               2,929
  FLV                   534
  MP4                    11

119 application(s) transferred 57 file type(s).


Threats at a Glance

Understanding your risk exposure, and how to adjust your security posture to prevent attacks, requires intelligence on the type and volume of threats used against your organization. This section details the application vulnerabilities, known and unknown malware, and command and control activity observed on your network.

KY FINDING

8,155,948 total vulnerability exploits were observed in your organization, including brute-force, info-leak and code-execution. 31,479 malware events were observed, versus an industry average of 128,177 across your peer group. 3,659,424 total command and control requests were identified, indicating attempts by malware to communicate with attackers to download additional malware, receive instructions, or exfiltrate data.

VULNERABILITY EXPLOITS: 8,155,948 detection(s)
  brute-force        4,962,710
  info-leak          3,111,663
  code-execution        74,813
  other                  6,762
(Comparison chart of exploit-type shares, Acme Corporation / Industry Average / All Organizations, not reproduced.)

MALWARE: 31,479 detection(s)
  unknown malware       30,991 (98%)
  known malware            488 (2%)
(Comparison chart of known/unknown shares, Acme Corporation / Industry Average / All Organizations, not reproduced.)

COMMAND AND CONTROL: 3,659,424 detection(s), all known connections

FILES LEAVING THE NETWORK

Transferring files is a required and common part of doing business, but you must maintain visibility into what content is leaving the network via which applications, in order to limit your organization’s exposure to data loss.

via 41 different application(s)

410,126 file(s) potentially leaving the network


High-Risk and Malicious File Type Analysis

Today’s cyber attackers use a variety of file types to deliver malware and exploits, often focusing on content from common business applications present in most enterprise networks. The majority of commodity threats are delivered via executable files, with more targeted and advanced attacks often using other content to compromise networks.

KY FINDING

A variety of file types were used to deliver threats, and prevention strategies should cover all major content types. You can reduce your attack surface by proactively blocking high-risk file types, such as executable files downloaded from the Internet, or by disallowing RTF and LNK files, which are not needed in daily business. Ensuring that host prevention solutions perform local and remote analysis of such file types provides additional protection at the endpoint.
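A block rule on file types is only as good as the file typing behind it: an attacker renames a PE to .pdf or ships a JAR as .zip, and an extension-based filter lets it through. The following added example, not code from the report or from Palo Alto Networks, identifies the high-risk types named in this section from content (magic bytes and PE/ZIP headers) and makes the block decision on that basis, flagging a declared extension that disagrees. The block list and the sample blobs are constructed for illustration.

```python
"""Content-based (magic-byte) identification of the high-risk file types this
report names, with a block decision that ignores the declared extension.
Added example, not part of the original report; block list and samples are constructed."""
import io
import struct
import zipfile

def _pe_type(data):
    """Classify a PE image as PE (32-bit), PE64 or DLL from its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    if len(data) < pe_off + 26:
        return "PE"                                          # truncated header, still an executable
    characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
    opt_magic = struct.unpack_from("<H", data, pe_off + 24)[0]
    if characteristics & 0x2000:                             # IMAGE_FILE_DLL
        return "DLL"
    return "PE64" if opt_magic == 0x20B else "PE"            # 0x20B marks PE32+

def _zip_type(data):
    """A JAR is a ZIP carrying META-INF/MANIFEST.MF, so look inside the archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "JAR" if "META-INF/MANIFEST.MF" in zf.namelist() else "ZIP"
    except zipfile.BadZipFile:
        return "ZIP"                                         # damaged archive, still ZIP-shaped

# (magic, offset, label) for the single-signature types in the report's charts.
MAGICS = [
    (b"\x7fELF", 0, "ELF"), (b"FWS", 0, "SHOCKWAVE"), (b"CWS", 0, "SHOCKWAVE"),
    (b"ZWS", 0, "SHOCKWAVE"), (b"%PDF-", 0, "PDF"), (b"{\\rtf", 0, "RTF"),
    (b"\x4c\x00\x00\x00\x01\x14\x02\x00", 0, "LNK"), (b"\x89PNG\r\n\x1a\n", 0, "PNG"),
    (b"\xff\xd8\xff", 0, "JPEG"), (b"FLV", 0, "FLV"), (b"ftyp", 4, "MP4"),
]

def identify(data):
    """Return the report's file-type label for a byte blob, or UNKNOWN."""
    pe = _pe_type(data)
    if pe:
        return pe
    if data[:2] == b"PK":
        return _zip_type(data)
    for magic, off, label in MAGICS:
        if data[off:off + len(magic)] == magic:
            return label
    return "UNKNOWN"

# Illustrative policy: executables plus the RTF/LNK types the report suggests
# disallowing, plus the JAR and Shockwave content it ranks as high risk.
BLOCKED = {"PE", "PE64", "DLL", "ELF", "JAR", "SHOCKWAVE", "RTF", "LNK"}
EXPECTED = {"exe": {"PE", "PE64"}, "dll": {"DLL"}, "jar": {"JAR"}, "zip": {"ZIP"},
            "swf": {"SHOCKWAVE"}, "pdf": {"PDF"}, "rtf": {"RTF"}, "lnk": {"LNK"}}

def decide(data, declared_name):
    """Return (file_type, action). The decision rests on content; the declared
    extension only adds a mismatch flag (e.g. a PE named .pdf) for follow-up."""
    ftype = identify(data)
    ext = declared_name.rsplit(".", 1)[-1].lower() if "." in declared_name else ""
    action = "block" if ftype in BLOCKED else "allow"
    if ext in EXPECTED and ftype not in EXPECTED[ext]:
        action += "+mismatch"
    return ftype, action

def fake_pe(dll=False, pe64=False):
    """Constructed minimal PE: MZ stub, e_lfanew=0x40, COFF header, optional-header magic."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = bytearray(b"PE\0\0" + b"\0" * 20)
    struct.pack_into("<H", coff, 22, 0x2000 if dll else 0x0002)   # Characteristics
    return bytes(hdr + coff + struct.pack("<H", 0x20B if pe64 else 0x10B))

def fake_zip(jar=False):
    """Constructed archive; with jar=True it carries a manifest like a real JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if jar:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()

# Constructed samples; the names mimic how a renamed payload would appear in logs.
SAMPLES = {
    "setup.exe": fake_pe(),
    "update.pdf": fake_pe(pe64=True),                 # 64-bit executable named as a PDF
    "helper.dll": fake_pe(dll=True),
    "tool.zip": fake_zip(jar=True),                   # JAR renamed to .zip
    "report.zip": fake_zip(),
    "banner.swf": b"CWS\x0a" + b"\0" * 12,
    "invoice.rtf": b"{\\rtf1\\ansi constructed}",
    "open.lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\0" * 12,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} -> {decide(blob, name)}")
```

The PE branch reads the real header fields (e_lfanew, Characteristics, the optional-header magic) rather than stopping at "MZ", which is what separates the report's PE, PE64 and DLL rows; the ZIP branch opens the archive because JAR and ZIP share a magic. A mismatch between content and declared extension is a triage signal in its own right, independent of the block decision.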

HIGH-RISK FILE TYPES

The file types shown represent a greater risk to the organization due to a combination of new vulnerabilities being discovered, existing and unpatched flaws, and prevalence of use in attacks.

Share of all files by type (Acme Corporation / Industry Average):
  Shockwave      24.21% / 1.38%
  Email Link     18.91% / 3.06%
  JAR             5.52% / 1.05%
  PE              2.89% / 7.89%
  MP4             1.80% / 1.92%
46.67% of all file(s) are ZIP.

FILES DELIVERING UNKNOWN MALWARE We recommend investigating the files that may be used to deliver threats both within your organization, and across your peer group. Together, these trends allow you to take preventive action such as blocking high-risk file types across different user groups.

Share of files delivering unknown malware, by type (Acme Corporation / Industry Average):
  PE                         95.56% / 15.81%
  DLL                         2.25% /  1.91%
  ELF                         1.47% /  0.80%
  PE64                        0.44% /  (not shown)
  Microsoft Word Document     0.28% /  4.05%


Application Vulnerabilities

Application vulnerabilities allow attackers to exploit vulnerable, often unpatched, applications to infect systems, which often represent one of the first steps in a breach. This page details the top five application vulnerabilities attackers attempted to exploit within your organization, allowing you to determine which applications represent the largest attack surface.

KY FINDING

122 total applications were observed delivering exploits to your environment. 8,155,948 total vulnerability exploits were observed, led by three applications: ms-ds-smb, msrpc and web-browsing. Only 169 unique vulnerability exploits were found, meaning the same vulnerabilities were attempted many times over.

                                  Acme Corporation   Industry Average   All Organizations
APPLICATIONS DELIVERING EXPLOITS         122                 13                  15
TOTAL VULNERABILITY EXPLOITS       8,155,948          2,273,389           2,384,617
UNIQUE VULNERABILITY EXPLOITS            169                 39                  44

VULNRAILITY XPLOIT PR APPLICATION (TOP 5 APPLICATIONS WITH MOST DETECTIONS)

DETECTIONS EXPLOIT ID SEVERITY  THREAT TYPE CVE ID

4,022,244 Ms-Ds-Smb

1,492 SMB Fragment Packet Found MEDIUM info-leak

149 Microsoft DCE RPC Big Endian Evasion Vulnerability MEDIUM info-leak

77 RPC Fragment Evasion Attempt MEDIUM code-execution CVE-2008-4250

46,925 Microsoft Windows WinReg Access Attempt LOW code-execution

16,208 Microsoft Windows RPC Encrypted Data Detected LOW code-execution

37 Microsoft Windows Service Enum LOW info-leak

3,657,225 Microsoft Windows SMB Negotiate Request INFO brute-force

131,496 Service Enum Through SMB ServiceEnum2 INFO info-leak

120,587 Microsoft Windows SMB Fragmentation RPC Request Attempt INFO info-leak

19,033 Windows SMB Login Attempt INFO brute-force

2,203,936 Msrpc

2,165,221 Microsoft RPC Endpoint Mapper INFO info-leak

38,708 Microsoft RPC ISystemActivator bind INFO info-leak

4 Microsoft Windows SMB Fragmentation RPC Request Attempt UNKNOWN info-leak

3 Microsoft Windows SMB Segmentation of RPC Request Attempt UNKNOWN code-execution

629,376 Web-Browsing

1,094 Bash Remote Code Execution Vulnerability CRITICAL code-execution CVE-2014-6271; CVE-2014-7169; CVE-2014-6277; CVE-2014-6278


693 Microsoft IIS Escaped Characters Decoding Command Execution Vulnerability CRITICAL code-execution CVE-2001-0333

576 Apache Wicket Unspecified XSS Vulnerability CRITICAL code-execution

15 Microsoft Internet Information Server ISAPI Extension Buffer Overflow Vulnerability CRITICAL code-execution CVE-2001-0500

12 Joomla Remote Code Execution Vulnerability CRITICAL code-execution CVE-2015-8421

6 Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability CRITICAL code-execution CVE-2003-0822

2 Microsoft IIS .printer ISAPI Extension Buffer Overflow CRITICAL overflow CVE-2001-0241

788 Microsoft Windows win.ini access attempt HIGH info-leak

641 Generic HTTP Cross Site Scripting Attempt HIGH code-execution

498 Microsoft IIS Extended Unicode Improper Canonicalization Directory Traversal HIGH code-execution CVE-2000-0884

260,439 Ssl

1 OpenSSL SSLv2 Malformed Client Key Parsing Buffer Overflow Vulnerability CRITICAL code-execution CVE-2002-0656

15 OpenSSL AES-NI CBC Information Disclosure Vulnerability HIGH info-leak

1 Mozilla Network Security Services SSLv2 Server Stack Overflow HIGH overflow CVE-2007-0009

26 OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed MEDIUM info-leak CVE-2014-0160

5 OpenSSL TLS Heartbeat Information Disclosure Vulnerability - Reverse Heartbleed MEDIUM overflow CVE-2011-5171

44,970 SSLv3 Found in Server Response LOW info-leak CVE-2014-3566

201,034 POODLE Bites Vulnerability INFO info-leak CVE-2014-8730

13,700 Export RSA cipher suite detected INFO info-leak CVE-2015-0204; CVE-2015-1637; CVE-2015-1067; CVE-2015-0138

210 Use of insecure SSLv3.0 Found in Server Response INFO info-leak CVE-2014-3566

6 OpenSSL TLS Heartbeat Found INFO info-leak

201,502 Ssh

2,775 SSH User Authentication Brute-force Attempt HIGH brute-force

198,708 SSH2 Login Attempt INFO brute-force

19 OpenSSH AES-GCM Auth Remote Code Execution Vulnerability UNKNOWN code-execution CVE-2013-4548
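The table above is the aggregate a practitioner rebuilds from raw threat logs when deciding which of the 8,155,948 detections deserve attention: informational signatures such as SMB Negotiate Request and SSH2 Login Attempt account for almost all of the volume, while the critical and high rows are a few hundred events. The following added example, not code from the report or from Palo Alto Networks, does that aggregation over constructed records. The simplified field layout (app, threat_name, severity, threat_type, cve) is an assumption for illustration, not the PAN-OS threat-log schema; the signature names are taken from the table.

```python
"""Rebuild the report's per-application exploit view (total detections,
unique signatures, severity mix, CVEs) from raw threat-log records.

Added example, not part of the original report. The CSV layout below
(app, threat_name, severity, threat_type, cve) is a constructed,
simplified layout and is not the PAN-OS threat-log schema."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample records, using signature names from the report's table.
SAMPLE_LOG = """\
app,threat_name,severity,threat_type,cve
ms-ds-smb,Microsoft Windows SMB Negotiate Request,informational,brute-force,
ms-ds-smb,Microsoft Windows SMB Negotiate Request,informational,brute-force,
ms-ds-smb,Windows SMB Login Attempt,informational,brute-force,
ms-ds-smb,RPC Fragment Evasion Attempt,medium,code-execution,CVE-2008-4250
web-browsing,Bash Remote Code Execution Vulnerability,critical,code-execution,CVE-2014-6271;CVE-2014-7169
web-browsing,Bash Remote Code Execution Vulnerability,critical,code-execution,CVE-2014-6271;CVE-2014-7169
web-browsing,Microsoft Windows win.ini access attempt,high,info-leak,
ssl,POODLE Bites Vulnerability,informational,info-leak,CVE-2014-8730
ssl,Export RSA cipher suite detected,informational,info-leak,CVE-2015-0204;CVE-2015-1637
ssh,SSH2 Login Attempt,informational,brute-force,
ssh,SSH User Authentication Brute-force Attempt,high,brute-force,
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


def parse_records(text):
    """Parse CSV text into a list of dicts, one per detection."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_app(records):
    """Per application: total detections, number of unique signatures, the
    signature that fired most, detections by severity, referenced CVEs, and
    the count of critical/high detections (the ones to triage first)."""
    acc = defaultdict(lambda: {"sigs": Counter(), "sev": Counter(), "cves": set()})
    for r in records:
        a = acc[r["app"]]
        a["sigs"][r["threat_name"]] += 1
        a["sev"][r["severity"].lower()] += 1
        a["cves"].update(c for c in r["cve"].split(";") if c)
    summary = {}
    for app, a in acc.items():
        summary[app] = {
            "total": sum(a["sigs"].values()),
            "unique": len(a["sigs"]),
            "top_signature": a["sigs"].most_common(1)[0][0],
            "by_severity": dict(a["sev"]),
            "cves": sorted(a["cves"]),
            "actionable": sum(n for s, n in a["sev"].items() if SEVERITY_RANK.get(s, 0) >= 3),
        }
    return summary


def repeat_ratio(records):
    """Detections per unique signature across the whole log. Signatures are
    deduplicated by name, since one signature can appear under several apps.
    The report's 8,155,948 detections over 169 signatures is a ratio of
    roughly 48,000: the same few signatures fire over and over."""
    unique = {r["threat_name"] for r in records}
    return len(records) / len(unique) if unique else 0.0


def rank_apps(summary, n=5):
    """Applications ordered by detection volume, as in the report's table."""
    return [app for app, _ in sorted(summary.items(), key=lambda kv: kv[1]["total"], reverse=True)[:n]]


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    summary = summarize_by_app(records)
    for app in rank_apps(summary):
        e = summary[app]
        print(f"{app:13} total={e['total']:2} unique={e['unique']} "
              f"crit/high={e['actionable']} top={e['top_signature']!r}")
    print(f"detections per unique signature: {repeat_ratio(records):.2f}")
```

Ranking by raw volume reproduces the report's ordering, but the `actionable` count is the number to work from: on the sample, ms-ds-smb leads on volume with nothing above medium, while web-browsing carries the Shellshock and win.ini hits.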


Known and Unknown Malware

Applications are the primary vector used to deliver malware and infect organizations, communicate outbound, or exfiltrate data. Adversaries' tactics have evolved to use the applications commonly found on the network or within an endpoint, into which traditional security solutions have little or no visibility.

KY FINDING

7 total applications were observed delivering malware to your organization. Many applications delivering malware are required to run your business, which means you need a solution that can prevent threats while still enabling the applications. While most malware is delivered over HTTP or SMTP, advanced attacks will often use other applications, including those on non-standard ports or employing other evasive behavior. 8 malware samples were first detected at the endpoint. Coordinating threat information between network and endpoint security products ensures consistent protection even when devices leave the corporate network and prevents threats arriving through secondary vectors.

[Figure: malware by application, Acme Corporation. Total malware: 31,479 (Known: 488, Unknown: 30,991). 7 application(s) found delivering malware; 8 malware sample(s) first discovered at the endpoint. Malware by application: ftp 15,518; web-browsing 7,956; rss 5,869; flash 1,664; ms-ds-smb 342; Other 130.]

Unknown malware by application (30,991 total), Acme Corporation versus industry average:

Application | Acme Corporation | Industry Average
ftp | 15,514 | 2,196
web-browsing | 7,935 | 4,194
rss | 5,869 | 1,089
flash | 1,663 | 405
smtp | 10 | 11,322

Known malware by application (488 total), Acme Corporation versus industry average:

Application | Acme Corporation | Industry Average
ms-ds-smb | 342 | 2,296
smtp | 105 | 1,037
web-browsing | 21 | 970,036
http-proxy | 15 | 18,354
ftp | 4 | 982
flash | 1 | 6


Command and Control Analysis

Command-and-control (CnC) activity often indicates that a host in the network has been infected by malware and may be attempting to connect outside the network to malicious actors; it can also reflect reconnaissance attempts from outside or other command-and-control traffic. Where this activity comes from a managed host, the malware is evading the active endpoint prevention product that should have blocked it. Understanding and preventing this activity is critical, as attackers use CnC to deliver additional malware, provide instructions, or exfiltrate data. Detection and response products may provide detail on the malicious network and host activity that has occurred as a result of the identified malware.

KY FINDING

7 total applications were used for command-and-control communication. 3,659,424 total command-and-control requests were seen on your network. 3,472 total suspicious DNS queries were observed. Active command-and-control should be stopped immediately. Endpoint prevention policies on managed hosts showing this activity should be reviewed. Network products with application visibility and awareness of malicious DNS can prevent these communications; however, the malware on the host must also be stopped to halt an adversary's ongoing efforts.

[Figure: command-and-control requests by application, Acme Corporation. 3,659,424 CnC request(s) were seen on your network; 7 application(s) were used for command-and-control communication. Requests by application: sip 3,642,760; unknown-udp 13,098; dns 3,472; new-relic 48; Other 24; http-proxy 22.]

Suspicious DNS queries (3,472 total), top 10:

Query | Count
generic:haibinw.com | 253
generic:51132.7766.org | 207
generic:m29091.ent.agt.ab.ca | 194
generic:extremesports.kz | 186
generic:nitedtoolsbendigo.com.au | 151
generic:bmlv-gv.eu | 151
generic:yoky1z.eu | 128
generic:pttulwpcanv.net | 115
generic:smecogtacvicnrl.jp | 102
generic:hmeodufryayfql.de | 101

Spyware phone home (3,655,952 total), top 10:

Signature | Count
Sipvicious.Gen User-Agent Traffic | 3,642,760
Win32.Conficker.C p2p | 13,098
Suspicious.Gen Command And Control Traffic | 48
KeyKey | 22
Generic User-Agent Traffic | 7
Suspicious user-agent strings | 5
WGeneric.Gen Command and Control Traffic | 4
MyWay_Speed_Bar Track activity 1 | 3
Suspicious User-Agent Traffic | 2
Hoax User-Agent Traffic | 2


Command and Control Analysis: Top Malware Family Tags, Top Campaign Tags and Top Malicious Behavior Tags

Top Malware Family Tags

Tag | Count
VirLock | 1,204
SilverTerrier | 859
ELFMirai | 311
Gafgyt | 264
Satori | 134
Gepys | 115
Upatre | 78
il_tm_Unruy_key | 77
Unruy | 76
GandCrab | 71

Top Campaign Tags

Tag | Count
gsrt_jsa_Pecunia | 7
gsrt_jsa_Sivis_UPDATE | 2
BlackVine | 1
gsrt_mscott_misc_Tekide | 1
OperationComando | 1

Top Malicious Behavior Tags

Tag | Count
IL_tbar_enum_processes | 2,361
gsrt_jsa_MaintainPersistence | 1,651
gsrt_malim_Win_Service_Created | 1,437
HttpNoUserAgent | 1,345
il_tm_use_wininet | 1,327
gsrt_ysamuel_MSVBVM60 | 1,237
DisableUAC | 1,192
gsrt_malim_enum_threads | 808
ProcessInjection | 716
gsrt_mscott_SuperHiddenFiles | 471

- Linked to threats that belong to a certain Malware Family

- Part of a larger Campaign of attacks

- A type of Malicious Behavior that indicates that your system has been compromised

- Public tags are tags shared with the AutoFocus community by your organization and other AutoFocus users. They are visible to all AutoFocus users.

- Private tags are visible only to your organization. They allow you to tag a sample hash or a set of search conditions that might be specific or especially significant to your environment.

- Unit 42 (alerting) tags are created by Unit 42 (the Palo Alto Networks® threat intelligence and research team) for threats and campaigns that pose a direct security risk.

- Unit 42 creates alerting tags for threats discovered by individuals or organizations outside of Unit 42. These tags have a pointed and marked top right corner.

THRAT Y DTINATION COUNTRI

Malware threats sent against 1 countries. 100.00% of malware was destined to India, a total of 275 malware sessions.


Summary: Acme Corporation

The analysis determined that a wide range of applications and cyber attacks were present on the network. This activity represents potential business and security risks to Acme Corporation, but also an ideal opportunity to implement safe application enablement policies that not only allow the business to continue growing, but also reduce the overall risk exposure of the organization.

HIGHLIGHTS INCLUDE: High-risk applications such as file-sharing, photo-video and email were observed on the network and should be investigated due to their potential for abuse. 631 total applications were seen on the network across 28 sub-categories, as opposed to an industry average of 207 total applications seen in other High Technology organizations. 8,155,948 total vulnerability exploits were observed across the following top three applications: ms-ds-smb, msrpc and web-browsing. 31,479 malware events were observed, versus an industry average of 128,177 across your peer group. 7 total applications were used for command-and-control communication.

KY FINDING 631 137 165

APPLICATIONS IN USE HIGH RISK APPLICATIONS SAAS APPLICATIONS

8,155,948 11,846,851 31,479 VULNERABILITY EXPLOITS TOTAL THREATS MALWARE DETECTED Known: 488 | Unknown: 30,991

RCOMMNDATION

Implement safe application enablement polices, by only allowing the applications needed for business, and applying granular control to all others. Address high-risk applications with the potential for abuse, such as remote access, file sharing, or encrypted tunnels. Address command and control communication by examining the network or host source. Detection and response or logging solutions may provide an indication of what occurred. Deploy a security solution that can detect and prevent threats, both known and unknown, to mitigate risk from attackers. Use a solution that can automatically re-program itself and other security products, creating and coordinating new protections for emerging threats, sourced from a global community of other enterprise users. Implement managed host policies to restrict file less attack vectors and decrease command-and-control risk by sharing near-real-time threat information across security products.
